Does WordPress send data about your blog to WordPress.org or Automattic?

Yes, it does. See Ticket #16778 wordpress is leaking user/blog information during wp_version_check(). All the details are in /wp-includes/update.php:

if ( is_multisite( ) ) {
    $user_count = get_user_count( );
    $num_blogs = get_blog_count( );
    $wp_install = network_site_url( );
    $multisite_enabled = 1;
} else {
    $user_count = count_users( );
    $user_count = $user_count['total_users'];
    $multisite_enabled = 0;
    $num_blogs = 1;
    $wp_install = home_url( "https://wordpress.stackexchange.com/" );
}

$query = array(
    'version'           => $wp_version,
    'php'               => $php_version,
    'locale'            => $locale,
    'mysql'             => $mysql_version,
    'local_package'     => isset( $wp_local_package ) ? $wp_local_package : '',
    'blogs'             => $num_blogs,
    'users'             => $user_count,
    'multisite_enabled' => $multisite_enabled
);

$url="http://api.wordpress.org/core/version-check/1.6/?" . http_build_query( $query, null, '&' );

$options = array(
    'timeout' => ( ( defined('DOING_CRON') && DOING_CRON ) ? 30 : 3 ),
    'user-agent' => 'WordPress/' . $wp_version . '; ' . home_url( "https://wordpress.stackexchange.com/" ),
    'headers' => array(
        'wp_install' => $wp_install,
        'wp_blog' => home_url( "https://wordpress.stackexchange.com/" )
    )
);

$response = wp_remote_get($url, $options);

The user agent contains the URL of your installation, so all of these data are not anonymous anymore. To get some privacy back filter 'http_request_args' and change the data you don’t want to leak.

Here is a simple example to anonymize the UA string (from a recent blog article):

add_filter( 'http_request_args', 't5_anonymize_ua_string' );

/**
 * Replace the UA string.
 *
 * @param  array $args Request arguments
 * @return array
 */
function t5_anonymize_ua_string( $args )
{
    global $wp_version;
    $args['user-agent'] = 'WordPress/' . $wp_version;

    // catch data set by wp_version_check()
    if ( isset ( $args['headers']['wp_install'] ) )
    {
        $args['headers']['wp_install'] = 'http://example.com';
        $args['headers']['wp_blog']    = 'http://example.com';
    }
    return $args;
}

You can change that to …

add_filter( 'http_request_args', 't5_anonymize_ua_string', 10, 2 );

… and get the request URL as second parameter for your callback. Now you can check if the URL contains http://api.wordpress.org/core/version-check/ and change all the values as want cancel the request and send a new one. There is still no way to change just the URL, that’s why I created the patch in the ticket.

Related Posts:

  1. Should a 502 HTTP status code be used if a proxy receives no response at all?
  2. What is the difference between a URI, a URL and a URN?
  3. HTTP Status 504
  4. What is the difference between POST and GET? [duplicate]
  5. Do I need Content-Type: application/octet-stream for file download?
  6. Problem HTTP error 403 in Python 3 Web Scraping
  7. application/x-www-form-urlencoded or multipart/form-data?
  8. Problem HTTP error 403 in Python 3 Web Scraping
  9. application/x-www-form-urlencoded or multipart/form-data?
  10. Is 418 “I’m a teapot” really an HTTP response code?
  11. How to define the basic HTTP authentication using cURL correctly?
  12. How to define the basic HTTP authentication using cURL correctly?
  13. “Cannot GET /” with Connect on Node.js
  14. “CAUTION: provisional headers are shown” in Chrome debugger
  15. What’s the difference between a POST and a PUT HTTP REQUEST?
  16. How do I send a POST request with PHP?
  17. Why is it said that “HTTP is a stateless protocol”?
  18. What’s the difference between using application/csv vs text/csv? [duplicate]
  19. What are all the possible values for HTTP “Content-Type” header?
  20. What is the difference between PUT, POST and PATCH?
  21. What’s the difference between “Request Payload” vs “Form Data” as seen in Chrome dev tools Network tab
  22. Exception in thread “main” java.net.NoRouteToHostException: No route to host
  23. ndroid 8: Cleartext HTTP traffic not permitted
  24. Can PHP cURL retrieve response headers AND body in a single request?
  25. Setting Curl’s Timeout in PHP
  26. How are parameters sent in an HTTP POST request?
  27. Why am I suddenly getting a “Blocked loading mixed active content” issue in Firefox?
  28. wget: unable to resolve host address `http’
  29. Are HTTP headers case-sensitive?
  30. When looking at the differences between X-Auth-Token vs Authorization headers, which is preferred?
  31. WordPress HTTP parameter pollution
  32. Hiding WordPress REST API v2 endpoints from public viewing
  33. Does WordPress only support HTTP 1.1?
  34. How do I troubleshoot responses with WP HTTP API?
  35. Is curl required?
  36. The resource was preloaded using link preload but not used within a few seconds
  37. using wp_remote_get to retrieve own url on local host
  38. Using wp-cron in backpress – problems with wp_remote_post, fsockopen error
  39. Running index.php from command line & load balancer health checks
  40. Enable CORS in wordpress
  41. Change port of wordpress
  42. How to get value of custom http header?
  43. Several times request to load plugins when sending one request
  44. why is $_REQUESt[‘redirect_to’] empty?
  45. Get “HTTP/1.1 406 Not Acceptable” when accesing my website with Delphi Indy Control
  46. WordPress HTTP 500 Error “page isn’t working”
  47. What’s the point in having “www” in a URL?
  48. For what is the “.well-known”-folder?
  49. Human readable format for http headers with tcpdump
  50. How to make wireshark filter POST-requests only?
  51. Image file urls still point to http instead of https
  52. How to download a file over HTTP?
  53. Possible reason for NGINX 499 error codes
  54. @ converted to %40 in HTTPPost request
  55. HTTP GET request in JavaScript?
  56. How to download HTTP directory with all files and sub-directories as they appear on the online files/folders list?
  57. What is HTTPD exactly?
  58. What is the quickest way to HTTP GET in Python?
  59. How to remove rest api link: in http headers?
  60. Why is WordPress redirecting from http to https on a local environment?
  61. How to receive HTTP POST in WP?
  62. HTTP request on localhost failing
  63. wp_remote_get() not retrieving pages properly
  64. Setting Last Modified HTTP Header on static Home Page
  65. WordPress post visible only those with a link
  66. Remove HTTP: from the site URL and just keep // in it
  67. WordPress – https : Css and Js files are not working (load on http instead of https)
  68. Redirect from https to http or from http to https? [closed]
  69. Remove the http protocol from images
  70. Can WordPress store comment cookies on two different computers?
  71. Disabling the X-Redirect-By response header
  72. problem using WP_Http with paypal nvp api
  73. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  74. Handling the response sent from a ruby on rails application in wordpress
  75. Divert http to https with WordPress on IIS
  76. Warning: Use of undefined constant HTTP_USER_AGENT – assumed ‘HTTP_USER_AGENT’ (this will throw an Error in a future version of PHP)
  77. CNAME site attempts to load files over HTTP instead of HTTPS
  78. WordPress 502 | Header Upstream send too big
  79. WordPress changing script source from https to http
  80. All content is HTTPS, but browsers warn of HTTP mixed content [closed]
  81. WordPress index.php seems to perform unwanted redirect 301
  82. Do I need a Cookie consent on a basic WordPress site?
  83. HTTP Error upload ( localhost )
  84. Why does WordPress uses HTTPS for JS, CSS on EC2
  85. After changing Site http to https, can’t access wp login page with a digitalocean hosting
  86. Specific Page/Post Need to Stay Non SSL
  87. WP Rest Api GET method restriction on route, but POST method also works
  88. Header already sent, error shows core files
  89. Modify wp headers on specific page
  90. How to send logs to plugin owner for a plugin?
  91. Navigation Bar displays vertically on Mozilla
  92. WordPress HTTPS – ‘… better to use HTTP for installation …’
  93. How can I create a private site that is inaccessible from the outside?
  94. Get full page HTML for a non-public WordPress page
  95. Detect if request is coming from wordpress conditional statement
  96. how to server over http and https with one installation
  97. How to change Akismet commenter privacy notice?
  98. Using the wp_remote_post response body
  99. How do you modify HTTP response headers on feed/?
  100. How to make Media Library files private?

Leave a Comment